HTTP and HTTPS
HTTP stands for Hyper Text Transfer Protocol. It is the method by which data is communicated between server and client over the internet. HTTP is an application protocol, and is started once a Transport Layer (often TCP) connection is made.
Server and client communicate via HTTP requests, which consist of four parts:
HTTP communication is not encrypted, and is therefore not considered secure.
Enter HTTPS, which extends HTTP by adding a secure layer (TLS) between the HTTP protocol and the Transport layer. HTTPS requires client and server to verify their identities via handshake negotiation.
HTTPS communication is encrypted and is considered secure.
To summarize:
- HTTP is an application protocol traveling over a transport layer.
- HTTPS is what we call HTTP when there is a secure layer inserted in between application and transport layers.
HTTP/1.1, HTTP/2, and HTTP/3
There are multiple versions of the HTTP protocol in use today: HTTP/1.1, HTTP/2, and HTTP/3. As with most software, each new HTTP version builds upon the capabilities of the previous version.
HTTP/1.1
Released in 1997, just a year after the initial HTTP/1.0 version, HTTP/1.1 introduced the idea of connection persistence, where connections remain open until they are instructed to close. Previously, only a single request per connection was allowed. Connection persistence helps servers to avoid the problem of too many connections. And, in a secure (HTTPS) environment, it avoids the overhead of multiple SSL handshakes when one will do.
While more than half of the internet is still using HTTP/1.1, it is slowly being phased out in favor of HTTP/2.
HTTP/2
It took nearly twenty years for a new version of HTTP to be introduced. In 2015, HTTP/2 was derived from SPDY, an experimental protocol developed by Google. Among other important features (such as significantly improved header compression), HTTP/2 introduced the ability for each connection to handle multiple simultaneous requests via streams. Streams are further broken down into frames, a collection of which are sent from the server in a single packet, and reassembled at the client side. By supporting multiple simultaneous requests, HTTP/2 uses fewer of the client's network resources. This reduces server-side congestion.
As of February 2020, 43% of the top 10 million websites used HTTP/2, and usage is growing. Learn more about HTTP/2 here.
HTTP/3
HTTP/3's origins are in QUIC, a Google effort to improve HTTP/2 by transporting it encrypted over UDP. Originally referred to as "HTTP over QUIC," HTTP/3 is still being defined by the IETF. HTTP/3 replaces TCP with UDP. UDP does not have as many rules as TCP, which is convenient at the transport layer, but causes difficulties at the application layer, if not addressed. So, HTTP/3 implements some of the missing TCP features that are required for effective, secure communication. The head-of-line blocking problem that is prevalent in all TCP-based protocols is less of a problem with UDP and HTTP/3.
As of February 2020, just over 4% of the top 10 million websites were using HTTP/3, but this number is expected to grow as the protocol is defined. Learn more about HTTP/3 here.
Version Comparison
| HTTP/1.1 | HTTP/2 | HTTP/3 | |
|---|---|---|---|
| Introduced | 1997 | 2015 | 2018 |
| Top New Feature | Added chunked encoding to allow persistent connection for responses with unknown length. | Added virtual simultaneous streams with header compression. | Replaced TCP transport with UDP transport. |
| Connection Processing | Sequentially, one request at a time | May be prioritized, multiple requests at a time | May be prioritized, multiple requests at a time |
| Header Compression | None | HPACK | QPACK |
| Protocol Type | Text | Binary | Binary |
| Server Push | Not possible | Supported | Supported |
| HTTPS | Allowed but not required | Encouraged but not required | Required |
| Transport Layer | TCP | TCP | UDP |
| Usage | Still in common use | Growing in usage, 43% as of February 2020 | Still experimental, used by 4.1% as of February 2020 |